    Guard.zip Phish, Very targeted, Sig Available

    An interesting phish is floating around. Its goal is not a local infection on the recipient's machine, but to convince the recipient to upload and run an encoded PHP or ASP file on their own web server. Jose Nazario has done the initial analysis, and it's a clever obfuscation.

    The sig is posted below. We'll get you more information as we can. If you get hits on this, look into it deeply. And if you get an email from a "security admin" purporting to be from your colo provider or similar, check into it before acting on it.

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit traveling to client browser"; flow:established,from_server; content:"dF('%264Djgsbnf%2631obnf%264E%2633J2%"; classtype:attempted-admin; sid:2003413; rev:1;)
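    To show what the rule above actually keys on, here is an added example (not Bleeding Edge's code or part of the original post) that parses the rule's header and options, converts the Snort content string to bytes using Snort's `|hex|` convention, and applies the `flow:from_server` direction check plus the content match to a few constructed sample HTTP payloads. The sample payloads, the `SAMPLE_FLOWS` record layout and all function names are assumptions made for this illustration; the rule text itself is the one from the post with ASCII quotes and `rev:1`.

```python
import re

# The rule from the post, with ASCII quotes and the rev option written as Snort expects.
GUARD_ZIP_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"BLEEDING-EDGE CURRENT EVENTS Guard.zip Backdoor Phish Encoded Exploit '
    'traveling to client browser"; flow:established,from_server; '
    'content:"dF(\'%264Djgsbnf%2631obnf%264E%2633J2%"; '
    'classtype:attempted-admin; sid:2003413; rev:1;)'
)

# One rule option: name, optional ":value" (double-quoted or bare), terminated by ";".
_OPTION_RE = re.compile(r'\s*([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule):
    """Split a Snort rule into its seven header fields and an ordered option list."""
    header, _, body = rule.partition('(')
    fields = header.split()
    if len(fields) != 7:
        raise ValueError('unexpected rule header: %r' % header)
    action, proto, src, sport, direction, dst, dport = fields
    body = body.rstrip()
    if not body.endswith(')'):
        raise ValueError('rule body must end with ")"')
    body = body[:-1].strip()
    options, pos = [], 0
    while pos < len(body):
        m = _OPTION_RE.match(body, pos)
        if m is None:
            raise ValueError('cannot parse options near %r' % body[pos:pos + 20])
        name, value = m.group(1), m.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]  # strip the surrounding double quotes
        options.append((name, value))
        pos = m.end()
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'direction': direction, 'dst': dst, 'dport': dport, 'options': options}


def content_to_bytes(content):
    """Snort content string -> bytes: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(content.split('|')):
        out += part.encode('latin-1') if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def match_rule(rule, flows):
    """Apply the rule's flow direction and content options to constructed flow records.

    Each record is {'from_server': bool, 'payload': bytes}. Returns one (sid, msg)
    tuple per record that matches. Only 'flow' and 'content' (with an optional
    'nocase') are honoured; this is a teaching matcher, not a Snort reimplementation.
    """
    parsed = parse_rule(rule)
    opts = dict(parsed['options'])
    contents = [content_to_bytes(v) for n, v in parsed['options'] if n == 'content']
    nocase = 'nocase' in opts
    flow = set((opts.get('flow') or '').split(','))
    hits = []
    for rec in flows:
        if 'from_server' in flow and not rec['from_server']:
            continue
        if 'to_server' in flow and rec['from_server']:
            continue
        payload = rec['payload'].lower() if nocase else rec['payload']
        if all((c.lower() if nocase else c) in payload for c in contents):
            hits.append((int(opts['sid']), opts['msg']))
    return hits


# Constructed sample records, not real captures.
CONTENT = b"dF('%264Djgsbnf%2631obnf%264E%2633J2%"
SAMPLE_FLOWS = [
    # server -> client response carrying the string: should fire
    {'from_server': True,
     'payload': b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>' + CONTENT + b'</html>'},
    # same string in the client -> server direction: flow:from_server excludes it
    {'from_server': False,
     'payload': b'POST /guard.php HTTP/1.1\r\n\r\n' + CONTENT},
    # benign response: no match
    {'from_server': True,
     'payload': b'HTTP/1.1 200 OK\r\n\r\n<html>nothing to see</html>'},
    # case-changed string: the rule has no nocase, so it does not match
    {'from_server': True,
     'payload': b'HTTP/1.1 200 OK\r\n\r\n<html>' + CONTENT.upper() + b'</html>'},
]

if __name__ == '__main__':
    for sid, msg in match_rule(GUARD_ZIP_RULE, SAMPLE_FLOWS):
        print('sid %d: %s' % (sid, msg))
```

    Running it reports a single hit, for the first record only. The fourth record is the point worth noticing when tuning a rule like this: the match is byte-exact as written, so a trivially re-cased variant of the string slips past it, which is a reason to look deeply at any hit rather than treat a quiet sensor as a clean bill of health.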

    The email phish is something like this (victim names removed):

    --------------------------------------

    Dear (colo provider name) Inc. valued Members
    
    Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.
    
    So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "guard.php" in: "./public_html"
    or (for Windows Based servers which use ASP) upload the file "guard.asp" in: "./wwwroot" in your site.
    
    If you do not know how to use it, you can use the following instruction:
    
    For Unix/Linux based websites that use PHP/CGI/PERL:
    1) Download the attachment named "guard.zip"
    2) Extract file "guard.php"
    3) Login to your site Control panel.
    4) Open "File Manager" window.
    5) Go through "Public_html" or "htdocs"
    6) Choose "Upload Files"
    7) Upload the file "guard.php"
    8) Check its URL too "http://www.yoursite.com/guard.php", if it is ok
    
    For Windows based websites that use ASP:
    1) Download the attachment named "guard.zip"
    2) Extract file "guard.asp"
    3) Login to your site Control panel.
    4) Open "File Manager" window.
    5) Go through "wwwroot" directory
    6) Choose "Upload Files"
    7) Upload the file "guard.asp"
    8) Check its URL too "http://www.yoursite.com/guard.asp", if it is ok
    
    Thank you for using our services and products. We look forward to providing you with a unique and high quality service.
    
    Best Regards
    
    (colo provider name)  Inc.
    --------------------------------------

    Matt

    This entry was posted on Tuesday, February 13th, 2007 at 10:46 pm and is filed under General, New Rules. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    3 Responses to “Guard.zip Phish, Very targeted, Sig Available”

    1. akgunk Says:
      June 1st, 2008 at 10:26 am

      where is the download guard.asp i need guard.zip

    2. Lance Says:
      June 21st, 2008 at 5:39 pm

      c81e72…

      e4da3b…

    3. Buck Says:
      August 7th, 2008 at 9:11 am

      FREE+ASIAN+BLOWJOBS…

      FREE+ASIAN+BLOWJOBS…

    Copyright © 2007 Bleeding Edge Threats.
    All trademarks and copyrights on this page are owned by their respective owners. Snort® is a registered trademark of Sourcefire, Inc.